Description
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Read
Action: Apply Patch
AI Analysis

Impact

The Vulnerability lies within the Human workflow 11g+ component of Oracle Business Process Management Suite and permits an unauthenticated attacker possessing HTTP network access to perform unauthorized update, insert or delete operations and read restricted data. The attack requires a human actor, other than the attacker, to interact with the system, yet no system credential is needed to begin the exploitation sequence. Successful exploitation leads to confidentiality and integrity compromise for data exposed through the suite, as reflected by the CVSS 6.1 score and the CVSS vector components impacting confidentiality and integrity.

Affected Systems

The affected installations are Oracle Business Process Management Suite versions 12.2.1.4.0 and 14.1.2.0.0, which are part of Oracle Fusion Middleware. The vulnerability may also affect other products that interact with or rely on the Human workflow component in these version lines.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 indicates medium severity, and the EPSS score is < 1%, indicating a very low but non‑zero likelihood of exploitation. The vulnerability is not flagged in the CISA KEV catalog. Because the attack vector is network via HTTP and requires no authenticated access, the risk of a successful attack is non‑negligible; however, the necessity of a human interaction limits the efficiency of automated exploitation campaigns.

Generated by OpenCVE AI on April 28, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle security patch for BPS Human workflow 11g+ covering versions 12.2.1.4.0 and 14.1.2.0.0
  • Restrict inbound HTTP traffic to the Business Process Management Suite servers to trusted IP addresses or apply firewall rules to block unnecessary external access
  • Disable or limit the Human workflow component if it is not required for business processes
  • Monitor system logs for unauthorized data modification or read activity and investigate incidents promptly

Generated by OpenCVE AI on April 28, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Enables Unauthorized Data Modification in Oracle Business Process Management Suite

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Modification in Oracle Business Process Management Suite
Weaknesses CWE-287

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-601
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Modification in Oracle Business Process Management Suite
Weaknesses CWE-287

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle business Process Management Suite
CPEs cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle business Process Management Suite
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Business Process Management Suite
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T17:15:09.016Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34284

cve-icon Vulnrichment

Updated: 2026-04-22T15:39:25.364Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:32.973

Modified: 2026-04-23T18:50:06.387

Link: CVE-2026-34284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses